Tuesday, January 21, 2014

Filesystem and Registry Virtualization in UAC

This article discusses the filesystem (FS) and registry virtualization performed by UAC to support legacy applications without giving them full administrator access to critical filesystem and registry areas. FS and registry virtualization are main components of UAC in Windows.
We will look at the why, who and what of FS and registry virtualization.

Why Virtualization ?

·Applications from the XP era (when applications ran with assumed administrative privileges) that needed administrator rights can still work on Vista because, when they try to write to protected parts of the filesystem or registry, they are given a virtual filesystem and registry instead.

Starting with Windows Vista, users, even those who are members of the local Administrators group, no longer run as administrators all the time. This limits the damage a user can do to the system by accident or through malicious intent. Applications that presumed administrator access therefore had compatibility problems with Windows Vista. For legacy applications this problem is solved using filesystem and registry namespace virtualization.

·The purpose of virtualization is only to fix compatibility issues. New applications written in the post-Vista era should not assume that they run as an administrator unless absolutely necessary.

What problem does Virtualization address ?

In the days of XP, a standard user did not have permission to write to "Program Files" or to HKEY_LOCAL_MACHINE, but Windows computers were normally single-user environments and users simply ran with local admin privileges.

What Microsoft recommends is the following:

a. Applications install in the "Program Files" directory.
b. Machine-wide settings for the software are saved in a registry key under HKEY_LOCAL_MACHINE\Software.
c. Applications run from the "Program Files" folder and are executed by different users. Each user's data is stored in that user's AppData folder under "Documents and Settings" (C:\Users from Vista onward).
d. Per-user application settings are stored under HKEY_CURRENT_USER\Software.

How does virtualization solve the problem?

When a user's application tries to write to a protected system location (like Program Files) and would get an access denied error, Windows Vista and later redirect the request to a per-user area instead: the VirtualStore folder under that user's LocalAppData, for example C:\Users\<username>\AppData\Local\VirtualStore\Program Files. Detecting the failing access and intervening is called 'trap'ping; for the filesystem it is done by the virtualization filter driver luafv.sys (%SystemRoot%\System32\drivers\luafv.sys).

Registry access is handled the same way: a blocked write to HKEY_LOCAL_MACHINE\Software is redirected to HKEY_CURRENT_USER\Software\Classes\VirtualStore\Machine\Software\AppNameOrVendorName. (Registry virtualization is implemented by the registry code inside the kernel itself; luafv.sys handles files only.) The VirtualStore folder or key is created the first time a process is redirected; later processes find it already in place.

On repeated access attempts the request is trapped and redirected to the virtual location again. Reads check the virtual location first; if the data is not found there, the real location is used, so the application sees a merged view. It remains blind to the underlying virtualization and thinks it is running with the administrator privileges it assumed.

Two caveats a practitioner should keep in mind. First, virtualization is only applied to legacy processes: 32-bit, interactive, not elevated, and without an application manifest that declares a requestedExecutionLevel. 64-bit processes and manifested applications are never virtualized and simply receive access denied. Second, because each user gets a private VirtualStore, a "machine-wide" setting written by a virtualized application is in fact per user: other users, and the same application when run elevated, continue to read the real location.

The redirection is illustrated in the diagram below:
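As an added example (not code from the original post), the following PowerShell maps the contents of the current user's VirtualStore back to the real locations a legacy application believed it was writing to, for both the filesystem and the registry, and flags where a virtual copy shadows a real file or key. The function names are mine, and the script assumes the default VirtualStore locations described above and that the protected directories live on %SystemDrive% (true for Program Files and Windows).

```powershell
# Added example, not from the original post: audit what UAC virtualization has
# redirected into the current user's VirtualStore and map each entry back to the
# protected location the legacy application thought it was writing to.
# Assumptions: default VirtualStore paths; protected directories are on %SystemDrive%.

function Get-VirtualizedFiles {
    param(
        [string]$VirtualStore = (Join-Path $env:LOCALAPPDATA 'VirtualStore'),
        [string]$SystemDrive  = $env:SystemDrive          # e.g. 'C:'
    )
    if (-not (Test-Path -LiteralPath $VirtualStore)) { return }

    Get-ChildItem -LiteralPath $VirtualStore -Recurse -File | ForEach-Object {
        # '...\VirtualStore\Program Files\Vendor\app.ini' -> 'Program Files\Vendor\app.ini'
        $relative = $_.FullName.Substring($VirtualStore.Length).TrimStart('\')
        $real     = Join-Path ($SystemDrive + '\') $relative   # 'C:\Program Files\Vendor\app.ini'
        [pscustomobject]@{
            VirtualPath   = $_.FullName
            RealPath      = $real
            # True means two copies exist: this user reads the virtual one,
            # every other user (and any elevated process) reads the real one.
            RealExists    = Test-Path -LiteralPath $real
            LastWriteTime = $_.LastWriteTime
        }
    }
}

function Get-VirtualizedRegistryKeys {
    param(
        [string]$VirtualRoot = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE',
        [string]$RealRoot    = 'HKLM:\SOFTWARE'
    )
    if (-not (Test-Path -LiteralPath $VirtualRoot)) { return }

    # RegistryKey.Name is the full native form, e.g.
    # 'HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
    $rootName = (Get-Item -LiteralPath $VirtualRoot).Name

    Get-ChildItem -LiteralPath $VirtualRoot -Recurse | ForEach-Object {
        $relative = $_.Name.Substring($rootName.Length).TrimStart('\')   # 'Vendor\App'
        $realKey  = Join-Path $RealRoot $relative                        # 'HKLM:\SOFTWARE\Vendor\App'
        [pscustomobject]@{
            VirtualKey = Join-Path $VirtualRoot $relative
            RealKey    = $realKey
            RealExists = Test-Path -LiteralPath $realKey
            # Values the application believes it stored under HKLM.
            ValueNames = ($_.GetValueNames() | Where-Object { $_ -ne '' }) -join ', '
        }
    }
}

# Run as the non-elevated user whose legacy application you are troubleshooting;
# an elevated console would show a different (empty or unrelated) picture.
Get-VirtualizedFiles        | Format-Table RealPath, RealExists, LastWriteTime -AutoSize
Get-VirtualizedRegistryKeys | Format-Table RealKey, RealExists, ValueNames -AutoSize
```

To see which running processes are actually subject to virtualization, add the "UAC virtualization" column in Task Manager (Details tab). Note that powershell.exe itself carries a manifest, so it is never virtualized: writing to Program Files from a standard-user console fails with access denied rather than landing in the VirtualStore.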

About the Author: Saquib Farooq Malik is a senior Information Security Consultant at ITButler e-Services (www.itbutler.com.au). Saquib specializes in Vulnerability Assessment and Penetration Testing and in implementations of ISO 27001 in different corporate environments in the Middle East.

He is a CISSP, an ITILv3 Foundation certified professional,
ISO 27001 Lead Auditor, Tenable Certified Nessus Auditor and a Lumension
Certified Engineer.